[ale] How to test your public internet connection for open ports

Ron Frazier atllinuxenthinfo at c3energy.com
Fri Feb 11 02:56:00 EST 2011


Hi David,

As you said, nothing personal meant in anything I say.  For the record, 
I don't have any interest in Steve Gibson, other than that I find his 
services, products, and advice useful in securing my computers and my 
network.  See comments in line.

On 02/10/2011 08:51 PM, David Tomaschik wrote:

> So, apparently GMail's web interface ate my earlier post.  It's a shame.
>
> Note: This is not directed towards Ron or anyone else on the list, and I
> hope it is not taken personally.  I'm also not going to call Steve
> Gibson a hack, even if he might be called that by other audiences.  I'm
> not interested in Steve Gibson, just the (poor) advice he gives.
>
> Yes, we need someone who can break down security issues into terms that
> are useful for the average consumer.  That being said, it should be
> someone who accurately describes security issues, countermeasures, and
> implications.  Steve Gibson has, in my eyes, failed that on several
> occasions.
>
> 1.) The description of "stealthed" vs. "closed" ports, and the security
> implications of the two.  His description of a stealthed port as a "good
> thing" and a closed port as a "bad" thing is ridiculous.  If the port is
> closed, the most information an attacker will glean from that is that
> there is a host on that IP address.  He'll get that from the lack of a
> ICMP Host Unreachable response anyway.  (See MHW's post about that.)
>

There is a possibility that, during a system patch or configuration 
change, ports that were previously closed may become open.  If Joe 
Cracker's bot previously logged my address as having an active host, 
then it's logical that it may come back periodically and recheck my 
ports.  I'd just rather that it didn't find me at all.

Now, you guys are telling me, that if the bot randomly scans my public 
IP address, 76.97.???.???, and if my ports are stealthed and I don't 
send ANY response, and if I don't respond to ICMP pings and such, that 
the bot is still going to know I'm there?  Come on!  I'm not buying that 
for 5 seconds unless someone explains exactly how that will occur.

What I think you're saying is that all or most of the other addresses 
that are scanned on the 76.97.???.??? space will have hosts and that 
they will respond with a "closed" port and a host unreachable code or 
something.  Therefore, mine will be conspicuous by its absence.  There 
are two problems with that theory.  A) The address space may not be 
full, and B) Most of the other users are going to be home users just 
like me with routers stealthing their ports too.  So, the port 
scanner will see large blocks of non responses.

If I were programming the bot, I do NOT think I would set it to pay 
special attention and focus attacks on non responses.

I believed last week, and I still believe this week, that my home 
network is safer by operating with a stealth firewall at the edge, even 
if the benefit is not tremendous over that of a non stealth firewall.

The consumer needs simple, direct advice.  So, my advice, derived from 
Steve's is, buy a home router which stealths all the ports, configure it 
according to the directions I've given, check it with ShieldsUp (or some 
more comprehensive tool that's easy to use that I don't know about), and 
that part of your network setup is done.  You're as safe as you can be 
within your budget and knowledge level from unsolicited attacks.

> 2.) Misleading descriptions of the implications of open ports.  If you
> run GRC's "Shields Up" with 443 open, you'll receive this message: "The
> presence of this secure web port in your system implies that this system
> is establishing secure connections with web browsers. The number one
> reason for doing this is the transmission of credit card information.
> This implies that the successful intruder could access the web server's
> credit card database and score bigtime. This is a VERY bad port to have
> open unless you are actually conducting secure web commerce!"  There are
> a number of other uses of HTTPS, and implied in this message is that
> being compromised by HTTPS makes it easier for the attacker to gain
> access to the database than any other compromise, leading to users
> thinking that other open ports are "less important".
>

I don't have 443 open.  I clicked on the green light I got in the grid 
and it cross referenced to his port database, which has different text.  
I'll admit the language is awkward.  I think what he's trying to get 
across to the consumer, is that if you are a consumer and you have 443 
open and you didn't open it on purpose, you have a potentially big 
problem.  I have no problem with that.  I think the complaint is a bit 
nit picky.

> 3.) Advocating blocking ICMP echo request (ping) packets.  Again, from
> "Shields Up": "Ping Reply: RECEIVED (FAILED) — Your system REPLIED to
> our Ping (ICMP Echo) requests, making it visible on the Internet. Most
> personal firewalls can be configured to block, drop, and ignore such
> ping requests in order to better hide systems from hackers. This is
> highly recommended since "Ping" is among the oldest and most common
> methods used to locate systems prior to further exploitation."  RFC 1122
> [1] specifically requires that hosts on the Internet respond to ICMP
> echo requests with an ICMP echo reply.  Misguided users might end up
> blocking all ICMP packets (I have seen at least one consumer router with
> an option to block all ICMP), resulting in the breaking of path MTU
> discovery, ICMP redirection (which admittedly has its own issues), and
> the loss of Host/Network unreachable messages.  (In addition to the
> dozens of other messages carried by ICMP.)  This might also make the
> user unable to send outbound pings, or receive their replies.  (Again,
> dropping ICMP = bad.)  Even Steve himself admits[2] that this breaks the
> way things are designed to work.
>

As a home user, I've been blocking outside pings for years, as long as 
I've had broadband.  It's all part of being invisible.  I can't speak to 
whether the router is blocking other ICMP.  I've never had any ill 
effects that I know of.  There is absolutely no reason anyone outside my 
house needs to ping me, and I have serious doubts as to whether I need 
to receive any other ICMP traffic.  Blocking ping, and ICMP, may break 
certain things enterprise networks expect.  I don't have a problem with 
that.  I don't have an enterprise network.  I have a home network that I 
want to be as safe as possible and one that does what I need it to do by 
giving me access to the internet.  I really don't care if that violates 
RFC 1122.  Also, the internet was "designed to work" in the 60's when 
the types of security issues we face today, with millions of automated 
viruses roaming around, hadn't even been dreamed of.  So, maybe the way 
it was designed to work, isn't the safest way to have it work, in the 
modern era.

> 4.) Steve suggests connecting unprotected hosts directly to the
> Internet.  On the "Shields Up" results page, he has a section labeled
> "Detecting Ports Blocked by Your ISP" where he states "If your system is
> operating behind a residential "NAT" router, the router will be acting
> as a natural and excellent hardware firewall. But that's not what you
> want for the moment. You can temporarily remove your NAT router and
> connect an unprotected computer directly to your cable modem or DSL
> line. Or, if you are comfortable reconfiguring your NAT router, you may
> be able to point the router's "DMZ" at one of your computers which has
> been instructed to "trust" our probe IP of [4.79.142.206]. If, after
> doing so, most of the service ports change to either open or closed, you
> have succeeded and any remaining stealth are being blocked by your ISP."
> In 2004, the Internet Storm Center estimated that an unpatched Windows
> system would only last 20 minutes online before being compromised.[3]
> Suggesting that ANY "unprotected" system be connected to the Internet
> for any amount of time is terrible advice, especially from someone who
> calls himself a security expert.
>

That's very interesting, and I hadn't noted it before.  I tried the 
procedure by connecting my laptop directly to the cable modem.  I DO 
have the Linux firewall running, controlled by Firestarter.  Everything 
comes back closed except 135, 136, 137, 138, 139, and 445, which are 
stealthed.  That's very intriguing.  I guess Comcast is blocking those.

I believe this page is several years old, and probably hasn't been 
touched for a while.  However, I agree with you that he doesn't properly 
warn the customer of the danger of trying this experiment.  Most of his 
listeners would probably have a patched Windows system, with a firewall 
running unless it's ancient.  You'd probably have to turn off the 
software firewall to make this work, and that would make me nervous.  It 
should probably be reworded.

Perhaps you could point it out in a positive manner at 
http://www.grc.com/feedback .  He says he reads every post, even if he 
cannot personally reply.

> 5.) Default options on "Shields Up" scan either a handful of common
> service ports or the lowest 1056 TCP ports.  A successful result there
> is significantly misleading to the end user by implying that their
> system is secure.  There is a lot of software, particularly Peer-to-Peer
> software, that uses ports over 1056.  For example, the default
> "/etc/services" (listing "Well Known" ports) on Ubuntu contains 165 TCP
> services with ports over 1056.  Many of these applications (P2P again)
> may use UPnP to open ports on your firewall, so if you haven't done
> EVERYTHING Steve Gibson advocates and have left UPnP enabled, you could
> have applications exposed to the Internet and never know.
>

I cannot speak for him other than to note what's on his website.  The 
scan will cover almost all the common service ports.  Keep in mind that 
the objective is to help protect the user from unsolicited attacks.  If 
they click on a website and invite something in that opens a port that's 
non standard, all bets are off.  If the attacker doesn't have some way 
of starting a custom server on the user's PC, this scan would cover the 
large majority of the ports that could be attackable.  Both I and Steve 
recommend turning off UPNP - specifically to prevent something from 
trying to open a port behind your back.  And, I put that in my prior 
post.  It would not be logical to follow some of the instructions for 
securing your router and not the others.  I think that if the user is 
going to go to this trouble at all, and if he'd heard many podcasts or 
had read a post such as mine, he'd have UPNP off.  Also, if your router 
is stealthing the first 1056 ports properly, it's highly likely that 
it's doing the rest.

Also, the website says that it has been used to scan 88 million users' 
PCs.  Now, the scan I did took about 1 minute.  So, his server has 
spent 88 Million minutes of CPU thread time doing these scans, all for 
free, for years.  There are 1440 minutes in a day, so a quick 
calculation reveals that the server has spent 61,111 DAYS of CPU thread 
time, or 167 YEARS of CPU thread time doing free scans for all those 
people.  Obviously, the server can run multiple simultaneous threads.  
But, you get the idea.  This is a very large amount of CPU time and 
network bandwidth to provide a service that he's giving the world for 
free.  I, for one, thank him for it.

Finally, if he had scanned all the ports, the CPU load and bandwidth 
requirements would have increased by a factor of 62 which is 65535 / 
1056.  Therefore, each test would take the customer 62 minutes, which 
the customer wouldn't tolerate, AND, with the same resources, he could 
only serve 1.5 Million customers instead of 88 Million.  So, he probably 
made a design decision to make the system such that it would serve the 
most people with the least pain, the least time, and the least cost.  If 
the ShieldsUp test passes, you have a high degree of certainty (but not 
absolute), that you are protected from unsolicited attacks.

> 6.) His "File Sharing" test only checks port 139.  Port 445 is also used
> for the SMB protocol, and has had a number of quite successful exploits.[4]
>

This is a single purpose test designed to expose an old bug in Windows.  
Nothing else.  445 is tested in both other tests.  I recommend people 
run all three.  By the way, you can also test specific addresses if 
you're inclined to.

> 7.) Steve has advocated[5] pointing the DMZ feature on a router to an
> unused IP address so that unsolicited inbound packets are dropped.
> Sounds great, right?  It probably is, unless you're a user who points to
> something that happens to be unused right now, but the next time you
> reboot your computer, you might just get that IP address.  (Sure, if you
> pay close attention, you can put it outside your router's DHCP range,
> but hey, we're talking about "Average consumer", right?)
>

Maybe the average smart consumer.  They have to know enough to know they 
need to seek out advice on security and listen to the podcast.  Also, 
many of his listeners, such as myself, are more advanced.  This is a 
slightly more advanced technique.  Perhaps he should mention that they 
need to set the DHCP server not to distribute LAN addresses in this 
range.  That's what I've done.  My DHCP server distributes xxx.xxx.xxx.2 
- 200 on the LAN.  If I want to forward something to a black hole, I 
send it to 250 or something.  That address will NEVER be allocated.  
Steve likes to give lots of technical detail.  Some listeners will be 
able to absorb it, and some won't.  This might be another thing that 
could be suggested on the feedback page.

> 8.) Steve continues to refer to NAT as security.[5] (And numerous other
> places.)
>

The consumer is going to go look at the store shelf and see "NAT Router" 
on the box.  Steve has to use terminology that they'll understand.  The 
consumer NAT router has NAT, firewall, and routing functionality, so it 
is a security device, whether NAT is providing the security or not.  I 
think one of the Michaels said that part of doing NAT involves stateful 
packet inspection, so it seems to me that all this is pretty intertwined 
anyway.  The consumer thinks, "If I have a NAT router, I have some 
security." - which is true.

By the way, as long as we're discussing NAT, since the cable / dsl modem 
ONLY provides 1 IP on its Ethernet LAN port, as far as I know, then, 
without NAT, the customer could only put 1 PC on the LAN and connect to 
the internet.  That would be unfeasible for most of us.

> I'm not saying Steve hasn't contributed to the field of consumer
> security, and I'm not saying that every bit of advice he gives is crap.
> But, really, the way security is done needs to be reformed.  It needs
> to be a collaborative effort, and we need to make users understand.
> Steve has said things that misleads users into believing that they are
> secure when they may, in fact, still have vulnerabilities.  I don't
> think he emphasizes user education enough, and I don't believe he has
> paid adequate attention to drive-by downloads, bundled malware, and user
> privacy issues.  Most compromises of home computers are NOT caused by
> services on the host.  Most of the compromises occur because users a)
> download things they shouldn't, b) don't patch, c) use peer-to-peer (see
> a.), and d) don't know better.  Being stealthed doesn't fix a single one
> of those.
>

If you had listened to the last 5 years of his weekly podcast, as I 
have, you'd find that he's all about education.  Everything you 
mentioned has been covered numerous numerous times, usually in great 
detail.  There is far more content there than on his website.  I just 
chose to point out ShieldsUp because of the discussion about routers.  
Why else would he devote 4 hours a week (3 hours prep, 1 hour talk) to 
making a podcast for over 250 weeks, all for free?  He's the most 
dedicated person I know of in terms of protecting the consumer.  He also 
pays his staff to transcribe each podcast so we can have better access 
to it and search it.

No offense intended, but I found your arguments interesting, and 
somewhat valid, but overall nit picky and not compelling from the point 
of view of the consumer.

To me, this seems more like a witch hunt.  Rather than bash every little 
fault, consider the huge amount of time, energy, and money he's invested 
to make all our neighbors, family, and friends who he has influence over 
a bit safer.  I respectfully suggest that, if one were to listen to 
those 5 years of archived podcasts, or even 6 months of them, one would 
have a better perspective on which to form an objective opinion.  At 
least you went and got some quotes from his website to make comments 
on.  This one resource, the podcast, has taught me more about 
networking and home computer security than my entire prior career (which 
was not focused on those topics, but did involve substantial use of 
computers).

Those interested in gaining such a broader, more objective perspective 
may find Steve's podcast at

https://www.grc.com/securitynow.htm (includes low bandwidth versions and 
transcripts)
http://www.twit.tv/sn

Here's a challenge.  I've heard over 250+ of his podcasts.  I've found 
them useful, enlightening, and interesting.  I have implemented many of 
his suggestions in my own home network.  So, perhaps some of you chiding 
me could listen to 10% of that, say 25 podcasts, then report back.  At 
least you'll have a better basis for discussion.

My only motive in making these posts is to help other people.  It 
doesn't do me any good in any other way, to sit in this chair with a 
sore back, to spend dozens of hours typing this.  So, hopefully, it will 
be helpful.  I do appreciate the dialog, by the way.

Sincerely,

Ron

> [1] http://www.faqs.org/rfcs/rfc1122.html
> [2] http://www.grc.com/sn/sn-146.txt
> [3]
> http://www.techrepublic.com/article/study-unpatched-pcs-compromised-in-20-minutes/5314563
> [4] http://www.linklogger.com/TCP445Scan3.htm
> [5] http://www.grc.com/sn/sn-064.txt
>
> --
> David Tomaschik, RHCE, LPIC-1
> System Administrator/Open Source Advocate
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com


